apache CLA-2003:632



----- Original Message -----
From: "Conectiva Updates" <secure@conectiva.com.br>
To: <conectiva-updates@papaleguas.conectiva.com.br>; <lwn@lwn.net>;
<bugtraq@securityfocus.com>; <security-alerts@linuxsecurity.com>;
<linsec@lists.seifried.org>
Sent: Wednesday, April 30, 2003 9:49 AM
Subject: [CLA-2003:632] Conectiva Security Announcement - apache


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> CONECTIVA LINUX SECURITY ANNOUNCEMENT
> - --------------------------------------------------------------------------
>
> PACKAGE   : apache
> SUMMARY   : Denial of service vulnerability
> DATE      : 2003-04-30 14:48:00
> ID        : CLA-2003:632
> RELEVANT
> RELEASES  : 9
>
> - -------------------------------------------------------------------------
>
> DESCRIPTION
>  Apache[1] is the most popular webserver in use today.
>
>  This update fixes two security vulnerabilities:
>
>  1. Denial of service (CAN-2003-0132)[3]
>  David Endler from iDefense reported[2] a denial of service condition
>  that affects the apache 2.0 branch which affects all unpatched
>  servers up to and including version 2.0.44.
>
>  There is a memory leak in these apache versions which can be remotely
>  triggered by sending large chunks of consecutive linefeed characters.
>  Each linefeed will cause the server to allocate 80 bytes of memory.
>
>  A remote attacker can keep sending these simple requests until the
>  server's memory is exhausted.
>
>  2. File descriptor leak[5]
>  Christian Kratzer and Bjoern A. Zeeb identified several file
>  descriptor leaks to child processes, such as CGI scripts, which could
>  constitute a security threat on servers that run untrusted CGI
>  scripts.
>
>  The Apache HTTP Server Project released[4] Apache version 2.0.45 to
>  address these issues, and this is the version provided via this
>  update.
>
>
> SOLUTION
>  It is recommended that all Apache users upgrade their packages.
>
>  IMPORTANT: it is necessary to manually restart the httpd server after
>  upgrading the packages. In order to do this, execute the following as
>  root:
>
>  service apache stop
>
>  (wait a few seconds and check with "ps ax|grep httpd" if there are
>  any httpd processes running. On a busy webserver this could take a
>  little longer)
>
>  service apache start
>
>
>  REFERENCES
>  1. http://httpd.apache.org/
>  2. http://www.idefense.com/advisory/04.08.03.txt
>  3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
>  4. http://www.apache.org/dist/httpd/Announcement2.html
>  5. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17206
>
>
> UPDATED PACKAGES
>  ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_1cl.src.rpm
>  ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_1cl.i386.rpm
>  ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_1cl.i386.rpm
>  ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_1cl.i386.rpm
>  ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_1cl.i386.rpm
>  ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_1cl.i386.rpm
>  ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_1cl.i386.rpm
>  ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_1cl.i386.rpm
>
>
> ADDITIONAL INSTRUCTIONS
>  The apt tool can be used to perform RPM packages upgrades:
>
>  - run:                 apt-get update
>  - after that, execute: apt-get upgrade
>
>  Detailed instructions regarding the use of apt and upgrade examples
>  can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
>
> - -------------------------------------------------------------------------
> All packages are signed with Conectiva's GPG key. The key and instructions
> on how to import it can be found at
> http://distro.conectiva.com.br/seguranca/chave/?idioma=en
> Instructions on how to check the signatures of the RPM packages can be
> found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
>
> - -------------------------------------------------------------------------
> All our advisories and generic update instructions can be viewed at
> http://distro.conectiva.com.br/atualizacoes/?idioma=en
>
> - -------------------------------------------------------------------------
> Copyright (c) 2003 Conectiva Inc.
> http://www.conectiva.com
>
> - -------------------------------------------------------------------------
> subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
> unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
>
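The advisory's SOLUTION section asks the administrator to stop httpd, wait until "ps ax|grep httpd" shows no workers, then start it again. The script below is an added example (not Conectiva's or Apache's own code) that automates that wait with a timeout instead of eyeballing ps; it assumes a Linux host with procfs and the "service apache" script names used in the advisory.

```python
import os
import subprocess
import time


def processes_named(comm, proc_dir="/proc"):
    """Return PIDs whose command name equals `comm`, read from
    /proc/<pid>/comm (assumption: Linux procfs is mounted)."""
    pids = []
    for entry in os.listdir(proc_dir):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_dir, entry, "comm")) as fh:
                if fh.read().strip() == comm:
                    pids.append(int(entry))
        except OSError:
            # Process exited between listdir() and open(), or no permission.
            continue
    return sorted(pids)


def wait_until_gone(comm, timeout, interval=0.2):
    """Poll until no process named `comm` remains. Returns True if they all
    exited within `timeout` seconds, False if the deadline passed."""
    deadline = time.monotonic() + timeout
    while processes_named(comm):
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)
    return True


def restart_httpd(timeout=60):
    """stop -> wait for every httpd worker to exit -> start, mirroring the
    advisory's manual sequence. A busy server may need a longer timeout."""
    subprocess.run(["service", "apache", "stop"], check=True)
    if not wait_until_gone("httpd", timeout):
        raise RuntimeError("httpd workers still running after %ds" % timeout)
    subprocess.run(["service", "apache", "start"], check=True)


if __name__ == "__main__":
    restart_httpd()
```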
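The second issue fixed in 2.0.45 is descriptors leaking from httpd into CGI children. A quick way to confirm the fix on an upgraded server is a CGI script that reports which descriptors it inherited; anything beyond stdin, stdout and stderr deserves a look. This is an added example, not code from the advisory or from the Apache project, and it assumes Linux procfs (/proc/self/fd).

```python
import os
import sys


def open_descriptors(fd_dir="/proc/self/fd"):
    """Descriptors currently open in this process. The handle listdir() uses
    to read fd_dir is closed by the time we fstat(), so it filters itself out."""
    candidates = [int(name) for name in os.listdir(fd_dir)]
    live = []
    for fd in candidates:
        try:
            os.fstat(fd)
            live.append(fd)
        except OSError:
            pass  # the directory listing handle, already closed
    return sorted(live)


def leaked_descriptors(fds, expected=(0, 1, 2)):
    """Descriptors a CGI child should not have inherited from httpd:
    everything except stdin/stdout/stderr."""
    return [fd for fd in fds if fd not in expected]


def describe(fd, fd_dir="/proc/self/fd"):
    """Best-effort target of a descriptor (file path, socket:[inode], ...)."""
    try:
        return os.readlink(os.path.join(fd_dir, str(fd)))
    except OSError:
        return "?"


def report(fd_dir="/proc/self/fd"):
    """Plain-text summary suitable for a CGI response body."""
    fds = open_descriptors(fd_dir)
    leaked = leaked_descriptors(fds)
    lines = ["open descriptors: %s" % fds]
    for fd in leaked:
        lines.append("inherited fd %d -> %s" % (fd, describe(fd, fd_dir)))
    lines.append("leaked descriptors: %d" % len(leaked))
    return "\n".join(lines)


if __name__ == "__main__":
    # CGI entry point: httpd runs this and the browser shows what it inherited.
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write(report() + "\n")
```

Drop it into a cgi-bin directory as a test script, fetch it once before and once after the upgrade, and remove it afterwards.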
